gluetun: Bug: Firewall rule issue on Dietpi affecting all Docker containers

TLDR: Describe your issue in a one liner here

  1. Is this urgent?

    • Yes
    • No
  2. What VPN service provider are you using?

    • PIA
    • Mullvad
    • Windscribe
    • Surfshark
  3. What’s the version of the program?

    Running version latest built on 2020-06-05T23:32:45Z (commit e33a6a8)

  4. What are you using to run the container?

    • Docker run
    • Docker Compose
    • Kubernetes
    • Docker stack
    • Docker swarm
    • Podman
    • Other:
  5. Extra information

Logs:

=========================================
================ Gluetun ================
=========================================
==== A mix of OpenVPN, DNS over TLS, ====
======= Shadowsocks and Tinyproxy =======
========= all glued up with Go ==========
=========================================
=========== For tunneling to ============
======== your favorite VPN server =======
=========================================
=== Made with ❤️  by github.com/qdm12 ====
=========================================

Running version latest built on 2020-06-05T23:32:45Z (commit e33a6a8)

📣  New VPN provider supported surfshark.com

🔧  Need help? https://github.com/qdm12/private-internet-access-docker/issues/new
💻  Email? quentin.mcgaw@gmail.com
☕  Slack? Join from the Slack button on Github
💸  Help me? https://github.com/sponsors/qdm12
2020-06-08T10:34:12.440Z	INFO	OpenVPN version: 2.4.8
2020-06-08T10:34:12.464Z	INFO	Unbound version: 1.9.6
2020-06-08T10:34:12.482Z	INFO	IPtables version: v1.8.3
2020-06-08T10:34:12.537Z	INFO	TinyProxy version: 1.10.0
2020-06-08T10:34:12.555Z	INFO	ShadowSocks version: 3.3.4
2020-06-08T10:34:12.556Z	INFO	Settings summary below:
OpenVPN settings:
|--Network protocol: udp
|--Verbosity level: 1
|--Run as root: no
|--Target IP address: <nil>
|--Custom cipher:
|--Custom auth algorithm:
PIA settings:
 |--User: [redacted]
 |--Password: [redacted]
 |--Region: netherlands
 |--Encryption: strong
 |--Port forwarding: off
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone:
|--IP Status filepath: /ip
DNS over TLS settings:
 |--DNS over TLS provider:
  |--cloudflare
 |--Caching: enabled
 |--Block malicious: enabled
 |--Block surveillance: disabled
 |--Block ads: disabled
 |--Allowed hostnames:
  |--
 |--Private addresses:
  |--127.0.0.1/8
  |--10.0.0.0/8
  |--172.16.0.0/12
  |--192.168.0.0/16
  |--169.254.0.0/16
  |--::1/128
  |--fc00::/7
  |--fe80::/10
  |--::ffff:0:0/96
 |--Verbosity level: 1/5
 |--Verbosity details level: 0/4
 |--Validation log level: 0/2
 |--IPv6 resolution: disabled
 |--Update: every 24h0m0s
Firewall settings:
 |--Allowed subnets: 192.168.1.0/24, 192.168.100.0/24
TinyProxy settings: disabled
ShadowSocks settings: disabled

2020-06-08T10:34:12.559Z	INFO	openvpn configurator: checking for device /dev/net/tun
2020-06-08T10:34:12.559Z	WARN	TUN device is not available: open /dev/net/tun: no such file or directory
2020-06-08T10:34:12.559Z	INFO	openvpn configurator: creating /dev/net/tun
2020-06-08T10:34:12.561Z	INFO	openvpn configurator: writing auth file /etc/openvpn/auth.conf
2020-06-08T10:34:12.561Z	INFO	routing: detecting default network route
2020-06-08T10:34:12.562Z	INFO	routing: default route found: interface eth0, gateway 172.17.0.1, subnet 172.17.0.0/16
2020-06-08T10:34:12.562Z	INFO	firewall configurator: accepting all traffic
2020-06-08T10:34:12.709Z	INFO	Launching standard output merger
2020-06-08T10:34:12.710Z	INFO	routing: adding 192.168.1.0/24 as route via eth0
2020-06-08T10:34:12.717Z	INFO	routing: adding 192.168.100.0/24 as route via eth0
2020-06-08T10:34:12.720Z	INFO	firewall configurator: clearing all rules
2020-06-08T10:34:12.921Z	INFO	firewall configurator: blocking all traffic
2020-06-08T10:34:12.934Z	INFO	firewall configurator: creating general rules
2020-06-08T10:34:13.097Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.138.143 through eth0 on port udp 1197
2020-06-08T10:34:13.101Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.138.157 through eth0 on port udp 1197
2020-06-08T10:34:13.105Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.186.218 through eth0 on port udp 1197
2020-06-08T10:34:13.109Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.186.232 through eth0 on port udp 1197
2020-06-08T10:34:13.113Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.186.233 through eth0 on port udp 1197
2020-06-08T10:34:13.118Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.188.193 through eth0 on port udp 1197
2020-06-08T10:34:13.122Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.188.216 through eth0 on port udp 1197
2020-06-08T10:34:13.126Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.188.244 through eth0 on port udp 1197
2020-06-08T10:34:13.130Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.190.184 through eth0 on port udp 1197
2020-06-08T10:34:13.135Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.190.197 through eth0 on port udp 1197
2020-06-08T10:34:13.138Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.190.201 through eth0 on port udp 1197
2020-06-08T10:34:13.142Z	INFO	firewall configurator: allowing output traffic to VPN server 46.166.190.235 through eth0 on port udp 1197
2020-06-08T10:34:13.147Z	INFO	firewall configurator: allowing output traffic to VPN server 85.159.236.214 through eth0 on port udp 1197
2020-06-08T10:34:13.151Z	INFO	firewall configurator: allowing output traffic to VPN server 85.159.236.219 through eth0 on port udp 1197
2020-06-08T10:34:13.155Z	INFO	firewall configurator: allowing output traffic to VPN server 109.201.152.14 through eth0 on port udp 1197
2020-06-08T10:34:13.160Z	INFO	firewall configurator: allowing output traffic to VPN server 109.201.152.26 through eth0 on port udp 1197
2020-06-08T10:34:13.164Z	INFO	firewall configurator: allowing output traffic to VPN server 109.201.152.245 through eth0 on port udp 1197
2020-06-08T10:34:13.168Z	INFO	firewall configurator: allowing output traffic to VPN server 109.201.154.141 through eth0 on port udp 1197
2020-06-08T10:34:13.172Z	INFO	firewall configurator: allowing output traffic to VPN server 109.201.154.144 through eth0 on port udp 1197
2020-06-08T10:34:13.177Z	INFO	firewall configurator: allowing output traffic to VPN server 212.92.104.164 through eth0 on port udp 1197
2020-06-08T10:34:13.185Z	INFO	firewall configurator: accepting input and output traffic for 172.17.0.0/16
2020-06-08T10:34:13.192Z	INFO	firewall configurator: accepting input traffic through eth0 from 192.168.1.0/24 to 172.17.0.0/16
2020-06-08T10:34:13.196Z	INFO	firewall configurator: accepting output traffic through eth0 from 172.17.0.0/16 to 192.168.1.0/24
2020-06-08T10:34:13.199Z	INFO	firewall configurator: accepting input traffic through eth0 from 192.168.100.0/24 to 172.17.0.0/16
2020-06-08T10:34:13.204Z	INFO	firewall configurator: accepting output traffic through eth0 from 172.17.0.0/16 to 192.168.100.0/24
2020-06-08T10:34:13.208Z	INFO	openvpn: starting
2020-06-08T10:34:13.208Z	WARN	http server: restartOpenvpn function is not set, waiting...
2020-06-08T10:34:13.211Z	INFO	openvpn configurator: starting openvpn
2020-06-08T10:34:13.214Z	WARN	http server: restartUnbound function is not set, waiting...
2020-06-08T10:34:13.221Z	INFO	openvpn: OpenVPN 2.4.8 armv7-alpine-linux-musleabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Feb  7 2020
2020-06-08T10:34:13.221Z	INFO	openvpn: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
2020-06-08T10:34:13.232Z	INFO	openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]46.166.186.218:1197
2020-06-08T10:34:13.232Z	INFO	openvpn: UDP link local: (not bound)
2020-06-08T10:34:13.232Z	INFO	openvpn: UDP link remote: [AF_INET]46.166.186.218:1197
2020-06-08T10:34:13.232Z	INFO	openvpn: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
2020-06-08T10:35:13.838Z	INFO	openvpn: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2020-06-08T10:35:13.838Z	INFO	openvpn: TLS Error: TLS handshake failed
2020-06-08T10:35:13.838Z	INFO	openvpn: SIGUSR1[soft,tls-error] received, process restarting
2020-06-08T10:35:23.840Z	INFO	openvpn: TCP/UDP: Preserving recently used remote address: [AF_INET]46.166.188.244:1197
2020-06-08T10:35:23.841Z	INFO	openvpn: UDP link local: (not bound)
2020-06-08T10:35:23.841Z	INFO	openvpn: UDP link remote: [AF_INET]46.166.188.244:1197

Run Command(s):

docker run -d --init --name=pia --restart always -e EXTRA_SUBNETS=192.168.1.0/24,192.168.100.0/24 -p 8112:8112 -p 58846:58846 -p 58946:58946 -p 30895:30895 -p 80:80 --cap-add=NET_ADMIN -e REGION="Netherlands" -e USER=***** -e PASSWORD=***** qmcgaw/private-internet-access

I have also tried the minimal run command from the docs:

docker run -d --name gluetun --cap-add=NET_ADMIN -e REGION="Netherlands" -e USER=**** -e PASSWORD=**** qmcgaw/private-internet-access

Host OS: Dietpi (Debian Buster 10.4)

Notes: The container does not seem to have a connection to the internet. All other containers also seem to lose internet connectivity when I run this container. In order to restore connectivity across my containers I have to stop and remove the PIA container and reboot the host machine.

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 24 (11 by maintainers)

Most upvoted comments

I’m curious too but don’t want to spend my next days digging on that 😄 It’s likely Docker though (the daemon) which doesn’t handle network isolation correctly on that particular os/kernel/cpu arch. Especially since your host still has connection but all the containers lose it. Anyway, let’s close this issue. If you ever find why I would be curious 😉 !

Amazing, it seems to be the clearing of iptables rules that is messing with my network.

After I run the following commands, the container loses internet connectivity:

# on the host: start a throwaway container with NET_ADMIN
docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
# inside the container:
apk add iptables
# clear rules
iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain

I went through them one by one to check at which command it actually loses internet and it seems to be after I run:

iptables -t nat --flush
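The symptom above (flushing the nat table inside one NET_ADMIN container takes down NAT for every container on the host) is what you get when the iptables state visible inside the container is not its own but the host's. A defender's check before any flush, as an added example that is not gluetun's code nor the commenter's: a container that really has its own network namespace sees only empty default nat chains, so the presence of Docker's DOCKER chain or a MASQUERADE rule for the bridge subnet means the flush would hit the host's rules. The function names, the constructed sample outputs and the 172.17.0.0/16 bridge subnet (taken from the log's default route) are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of gluetun: refuse to flush the nat table when the
# rules visible inside the container look like the host's Docker NAT rules.

# nat_table_is_isolated OUTPUT
#   OUTPUT is the text of `iptables -t nat -S`.
#   Returns 0 when only policy lines (-P ...) are present, i.e. a fresh
#   network namespace; returns 1 when a DOCKER chain or a MASQUERADE rule is
#   present, i.e. the container is seeing the host's netfilter state.
nat_table_is_isolated() {
  if printf '%s\n' "$1" | grep -Eq '^-N DOCKER$|^-A POSTROUTING .*-j MASQUERADE'; then
    return 1
  fi
  return 0
}

# safe_nat_flush
#   Runs the real iptables and only flushes the nat table when the check passes.
#   Exit codes: 0 flushed, 1 refused, 2 iptables unavailable.
safe_nat_flush() {
  nat_output=$(iptables -t nat -S 2>/dev/null) || {
    echo "iptables -t nat -S failed; is iptables installed and NET_ADMIN granted?" >&2
    return 2
  }
  if nat_table_is_isolated "$nat_output"; then
    iptables -t nat --flush
    return 0
  fi
  echo "refusing to flush: nat table contains host Docker rules (DOCKER chain / MASQUERADE)" >&2
  return 1
}

# Constructed sample outputs for offline testing (not captured from the host).
# What a container in its own network namespace normally shows:
ISOLATED_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT'

# What the host's nat table looks like with a default docker0 bridge:
HOST_NAT='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DOCKER
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN'

# Demonstration on the constructed samples.
if nat_table_is_isolated "$ISOLATED_NAT"; then
  echo "isolated sample: safe to flush"
fi
if ! nat_table_is_isolated "$HOST_NAT"; then
  echo "host-like sample: flush refused"
fi
```

Inside a container you would call `safe_nat_flush` in place of a bare `iptables -t nat --flush`. The same question can be answered from the host side without touching any rules: compare `readlink /proc/self/ns/net` on the host with `docker run --rm alpine readlink /proc/self/ns/net`; if the two inode identifiers match, the container is not getting its own network namespace and any firewall change it makes applies to the whole host.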

I’ve added FIREWALL; you can try setting -e FIREWALL=off and it won’t touch iptables, let’s see if it works.

I will add an undocumented environment variable to disable the firewall, for debugging purposes. At least we’ll be able to find if it’s a firewall issue or not. I’ll comment back once it’s done.

Maybe you can give it a try with Armbian instead of DietPi on your Odroid

Yea that will be my next step if we can’t figure this out. I would just really like to have it working on Dietpi.

I had an HC1 myself running Armbian, never saw this issue on the Odroid

I have been running this setup for several years now on my XU4 (with Dietpi) and I never saw any issues like this either.